Kernel Exploits, how they work and why they are scarce.

Starting with the release of pre-IPL consoles, kernel exploits have become a must in order to run CFW on our beloved PSPs. This trend passed down to the Vita in the same manner, but, are psp kernel exploits doomed to disappear?

To understand more on the matter, I will go a bit deep on how kernel exploits are found as opposed to usermode exploits. First of all, the method of exploiting is extremely different, for usermode exploits you use simple techniques such as buffer overflow or garbage injection to get control of registers that will be used to jump to our unsigned code, normally this register is $ra, but it can be any if the code is right. Kernel exploits don’t work like this. First you need to disassemble all flash0 modules, then you need to look at all the functions one by one to figure out if they can be exploited or not.

Secondly we also have the medium where exploits occur. For usermode these exploits are found in PSP games, for kernel mode they are found in kernel functions.

This is simple: there are thousands of PSP tittles, a good chunk of them on the PS Vita store, a good proportion of exploitable ones, and new minis coming out very often, on the other hand, there’s only a few kernel functions, only some of them are user-callable (means they can be called from user space), and most of them already have k1 or arg checks (the checks Sony does to secure such functions), on top of that, Sony doesn’t make new functions so often as it’s mostly not needed, sometimes they do quite the opposite, they dummy out unnecessary functions to return generic “ok”. This means that while the number of usermode exploits and possible usermode exploit grows, the number of kernel mode exploits is going down.

Knowing this, we can go back to the history of kernelmode exploits from the 6.XX era.

The first kernel exploit in this era was released by Total_Noob, soon after that some1′ 0xFFFFFFFFailSploit came out for 6.3X, and then the kermit_wlan exploit by frostegater. I have intentionally skipped others as I want to focus on these so you can understand how lucky we were to have these. Kernel exploits is not something we find because we know where to look at, we don’t know which function will contain it, and we will never know how this exploit will work if we don’t look very well. Most kernel exploits come from Sony’s mistake, mistakes that are huge when you look at it from the perspective of a company with thousands engineers at its disposal. Knowing this, let’s analyze those three exploits so you can see why we were lucky and were helped mostly by Sony’s incompetence.

Total_Noob’s 6.20 exploits relied on a mistake done to the k1 check by shifting it twice, wait what? yeah I know, I’m going a bit fast here, so lets pause for a second to understand what this k1 check is. When a kernel function is called from user space, interrupt manager sets the k1 register to 0x100000. This is done because most functions will shift this value by 11 bits, so k1 becomes 0x80000000. This value is usually and’ed and or’ed with the function arguments so that if any of those arguments contain a kernel address (example: 0x80FFAA22) then the result will be 0x80000000, this is checked for negativity, usually by checking if the value is lower than 0. The binary representation of 0x8 is 1000, in two’s compliment any number starting with 1 is negative, so 0x80000000 is negative and the system will refuse to accept the arguments you’ve provided. Now back to TN’s exploit, this exploit resided in a function that shifted k1 by 11, everything good so far, we’ve already learned that this how the system checks for kernel values, the problem comes when this function calls another function before doing any actual argument check, and this other function shifts k1 again, so it becomes 0x40000000000, but the k1 register is only 32 bits to it overflows, becoming 0x00000000, with k1 set to this value all argument checks pass (because an and between 0x00000000 and any other value will always return 0x00000000), after all this hassle, the system branches to a loc_ where there are instructions to write to memory, letting us nop out pretty much whatever we want.

After this one, the second mayor mistake by sony was in some1’s exploit. This function didn’t have any k1 check but it did check for arguments, problem is instead of returning an error upon detecting incorrect arguments they continued to do some other code, one which was a store word, that allowed us to write -1 wherever on memory. (you can read more explanations on this exploit by some1 himself here)

This brings me to the last of the 3, frostegater’s exploit. This one was even simpler than the other ones, it was just one function that didn’t have any argument checks nor k1 checks, and it flat out had a sw command that we could directly use.

All these mistakes are the ones that have allowed us to run our backup games and homebrews with almost perfect compatibility. But as you can see it’s hard for a company like to sony to make these mistakes, and even harder to make them twice. On top of this, we have kernel functions already patched, and no new ones coming out, and when they so, they usually already have the kernel checks.

We’ve all enjoyed our sweet eCFW, but now they are so scarce that some believe only one is left. Even if there are more, a time will come when Sony would have effectively patched all functions, possibly before we can even get to them.

Meanwhile, enjoy VHBL, cause it’s the only thing you’ll be seeing for a while, and I personally believe it’s best, as to stop piracy on its feet.

Yeah, I’ve been debating buying another Vita. If Phantasy Star Online 2 comes to the Vita in the US, I will be playing it. Plus the games I’ve been anticipating should start raining into the lineup soon. As a sidebonus, I can use my eCFW Vita to multiplayer PSP ad-hoc games with my friends, but I already have 2 PSPs for that.. Right now the only advantages I have of the eCFW are: I can play Phantasy Star 2 on my Vita, I have an endless Nyan Cat animation on my Vita, I can make ISOs of my UMDs(that I don’t play anymore anyway) using my PSPs and play the ISOs on my Vita. I really don’t want to miss out on CFW for the Vita if the attack vector is through the eCFW though. I hate the GUI for the Vitas menu and I’m probably willing to drop 300 usd just on the offchance that I may someday be able to do something about it.

The good thing about having no piracy is that for once noone can blame piracy for the lack of software releases. Looks like a device can fail all by itself, without piracy being there to take the blame. Who would have thought.

That is because the wii had almost exactly the same anti-piracy measures as the gamecube, the main one being that they reversed the data on the discs. Because of that, the wii was hacked (in theory) before it even launched! The thing is, the gamecube was a regular console with a broad spectrum of games, while intendo shifted it’s audience to kids/family with the wii. That was the wii’s biggest copy protection, the audience. Ever seen a 45 year old mom and her 12 year old son install CFW? 😛

actually, that’s what made the wii more prone to hacking. Kids don’t have any money to buy games, so it’s simpler for them (and the parents) to pirate those games. Oh and I think that thing about the reversed blocks is not true. I’m not an expert but I’ve hex edited GC isos and the data looks normal, GC discs only have a special dye that only the modified GC laser can read, plus it has a purposely damaged TOC (the burst cutting area) so standard DVD readers wouldn’t even detect the disc.

It’s interesting, the whole playstation scene (and I mean all of it) is screaming for cfw, the psp scene, the ps3 scene, the vita scene. On the contrary the nintendo scene, especially the ds dsi and 3ds scene is not into cfw, there has been a cfw for the nds but its an old story that never got far as the more and faster advancing flash carts took over. Also the same was for the gc and wii, there never was a gc cfw and in the beginning of the wii, there was only the wiikey and no cfw. And now we are slowly seeing the end of “cfw” as we know it, as real software weaknesses are progressively patched out. I don’t say there is no way at all (where a will is, is a way) but it will become harder and harder. Ultimately leading us back to hardware solutions to trick the software like its already done a million times. Some may think “i don’t support paid piracy” thus no mod chip but that is moral and ethic and those differ from person to person. The downside to “hardware” solutions is, that upon a change it might become “unable” what this chip is supposed to do (seen a trillion times on the dsi,3ds,xbox,360). So the ps scene should be thankful what has been accomplished as on other scenes something like that never really took of.

you can’t have cfw on systems that don’t even have a firmware (case of the gamecube), and in the case of the nds a cfw would do nothing as you still needed a cart to adapt SD cards. As for the wii, I believe modchips were necessary for tweaking the laser into reading standard DVDs

Well the gamecube had a bios, pal, ntsc, ntsc-j and ntsc-k, there were bios mods, available through a mod chip (viper gc extreme) I had one of those myself. With different bios on banks, you were able to load imports without probs, that was the main advantage. And for the ds there was a cfw called “flash me”, afaik developed from the (in)famous hacker darkfader who also made the only two available r0ml0ader firmware destroyers. 😉 And flashcarts (slot 2) were already available by that time as chishm had already written the dldi. There were even mods for the gba slot to hook up a cf or microdrive. Yeah for the wii, the first modchip was from “wiikey” which was based on the “xeno-gc” chip, infact it was a xeno gc on a different small piece of pcb, same chip. And yes, it did trick the wii in believing it was a original disk by always answering the checks and overlaying the “ok” signal directly on the drive chip pins.

Personally I play my emus on my psp and my isos. I liked ecfw but whats the point psp can play ps1 and psp plus emus. Just get a psp why buy a $300 system again. Also you can upgrade a psp stick to 100 gigs in mem.

how are they not scarce when no body with the knowledge to find them is interested? there might be a thousand out there, there’s simply not enough devs interested in the tedious process of finding one and then release it for some kids that only wanna pirate games and give nothing back, most of the time not even a simple “thanks”. Just go back to the posts made around the time frostegater announced his exploit, there’s loads of comments from people urging him to release it, calling him an idiot, and telling me to shut up about my retro gaming posts because they wanted “the damn exploit from that idiot frostegater”

You’re dead right, but you’ve got the argument wrong; devs are scarce, not exploits. I know how selfish the PSP scene is, I don’t need an education in that. The reason devs are leaving isn’t just because of that though, there is a lack of achievement on the PSP now. Everything meaningful has been discovered and homebrew devs have other platforms that offer better functionality and a more official toolset (Android, IOS, Win8, etc). It’s unlikely a developer is going to invest time reversing the BT functionality for no developers to jump onto the bandwagon and write useful apps. It is really kind of supply and demand. However, if you’re not interested in eCFW and kernel exploits because of piracy, try and enhance HBL. I’m almost certain every game can run under HBL conditions if work is given to investigate p5.

I just want to say that there positively are more than one left. However saying there are plenty left is a exaggeration. I do agree that HBL could be upgraded and improved but finding someone with any free time or the will to do so is the issue.

This is a time where I wish the comments system here wasn’t so limited, because this is an interesting discussion.

There are lots of interesting things remaining in the user mode that could be investigated. HBL could indeed be dramatically improved to largely increase compatibility if some people still had time to work on it. There are some techniques that nobody cared to implement which would help a lot, including things that used to be major “secrets” but that could be harmlessly released today I think.

Sorry but this really wasn’t all that well written lol, for those of us that are actually experienced with exploitation of various systems outside the PSP/VITA/Consoles in general.

We get it sure, but the general public who download and use these exploits aren’t going to understand it at all, and while these exploits are rare to find and are of course being patched all the time that’s when some researcher finds some backdoor to keep accessing a kernel level and never releases it there will always be private exploits people keep in their hands.

Maybe not in the case of the PSP due to the fact that it’s already been hacked beyond belief but the one way to reliably be able to reverse engineer feature code is to actually have access to it meaning a ‘hacker’ who’s intention is to release an exploit to the public usually follows the general principle of keeping one for them selves to still be able to audit the new code they wouldn’t have access to without an exploit.

While this isn’t an issue in most non-console exploitation it is when it comes to console exploitation because we have limited access to the code and if that access were to be restricted we’d pretty much get sc***.

Regardless with all of the above being said it’s not that I disagree but I’d like to state any large Company even those bigger then Sony, even when the software isn’t being updated exploits are ALWAYS being discovered.

Older versions of Windows still have various 0-days in them, just a few years ago the TCP/IP stack on linux had an issue in it that had been there for 10 years and gone un-discovered.

It just goes to show researchers aren’t always going to find every single little exploit in the life span of the console and Sony isn’t going to patch every single little exploit throughout the life span of the console.

Beyond that the next step when exploits grow thinner in the kernel of the PSP emulator ( Which hacking such isn’t impressive anymore at all, considering Nintendo made this same mistake when it came to the Wii U and Wii Emulation, Where as M$ seem to be the only ones that did not make the mistake… with the 360 )

People need to step it up, While intending to run Homebrew without promoting Piracy on the system with a certain level of access to the VITA it should be possible to Overwrite the Firmware being used within the PSP Emulator.

In no means am I saying I have the capability of doing this, have done this or such.

I’m just saying you’re being so dramatic about PSP Kernel exploits growing thin, when there’s a whole other world of exploitation which has yet to have been explored to the fullest extent due to the fact it seems everyone gave up on the VITA it’s self and moved onto “Oh well, We can execute unsigned code with less power or capabilities this way goal reached!”.

>should be possible to Overwrite the Firmware being used within the PSP Emulator. Its not, it would reset. Before attacking something atleast know the foundation.

>In no means am I saying I have the capability of doing this, have done this or such. Then why talk?

>I’m just saying you’re being so dramatic about PSP Kernel exploits growing thin, when there’s a whole other world of exploitation which has yet to have been explored to the fullest extent due to the fact it seems everyone gave up on the VITA it’s self and moved onto “Oh well, We can execute unsigned code with less power or capabilities this way goal reached!".

The ignorance in that one post makes me cringe. Right, like no one is trying at all to hack natively. Like it isnt harder than the sorry excuse of security the PSP had. Like there are still devs willing to do such hard work for people like you who complain. No one gave up, contrary to your theory. Either do it yourself or quit telling others to get better. You cant bite the hand that feeds.

Everyone has to be a critic! If you don’t like the article..Don’t read it! If your going to criticize this man’s or women’s work. Then start your own site, and post your own thread. I for one appreciate everyone here at this site who post information about hacking and trying to explain how it is all done! Thank you Acid_Snake for all your hard work and time! I know I’m not the only one who appreciates you work and effort

I’m starting to think that people who write comments here are scared of using the enter key…

Reading through the comments it’s all jumbled together like one long sentence or paragraph in some cases really annoying to read guys.

@smitty88oh, I was being a critic but that’s not always a bad thing there is corrective or good criticism and that’s necessary to teach/help/or give advice to someone when their articles aren’t fully understood by the general public.

Which is what I was getting at and my point was proven by someone else saying they didn’t understand a single iota of what was said.

Beyond that I was also stating that what he said was factually incorrect in certain ways as while exploits in theory would get thin it’s not common that this actually happens with the life span consoles currently maintain.

That user never proved your point! I am willing to bet that Chuckthetekkie is the type of person that doesn’t know how to hack, Just reads instructions on how to do this or that. And that’s his ideal of hacking. Download this put the file here and i’m good to go..I am a hacker now!! I know I could be completely wrong! I know how to hack gaming consoles along with computers. So I understood a good deal of what Acid_Snake wrote. The fact that someone called you a critic. You decided to go on the defense and attempt to prove yourself right!

Could the article been written better? Of course it could. Nothing is ever perfect!